Malware Awareness - EMOTET resurges with new detections

Product / Version includes:

Apex One as a ServiceAll , Deep Discovery InspectorAll , Apex OneAll , Deep SecurityAll , Worry-Free Business Security StandardAll , Interscan Messaging Security Virtual ApplianceAll , ScanMail for ExchangeAll , Worry-Free Business Security AdvancedAll

Last updated: 2021/12/07

Solution ID: KA-0007821

Category: Troubleshoot , Remove a Malware / Virus , Update

Summary

Ten months after its massive takedown in January of 2021, Emotet is back and seeking resurgence. This malware, which first appeared in 2014 as a banking trojan, attempts to infect computers and steal sensitive information. It spreads through spam emails (Malspam) via infected attachments and embedded malicious URLs. In some of its spam campaigns, the emails commonly have a financial theme and appear to come as a reply to a previous transaction by using fake payment remittance notices, invoice attachments, or payment details.

Fast forward to November 2021, the Trickbot banking trojan was observed to download and execute updated Emotet binaries to computers previously infected with Trickbot with macro-laden Microsoft Excel, Microsoft Word, and a password-protected ZIP archive containing a Word document as payloads, marking the resurgence of the highly known sophisticated threat.

Emotet evolved multiple times over the years since 2014, and turned its operations into a successful crimeware rink. It provides Malware-as-a-Service (MaaS) to other malware groups to rent access to the Emotet-infected computers to infect them with other malware such as TRICKBOT, QBOT, and RYUK Ransomware. For this reason, it has been known to be one of the most professional and most potent cyberthreats in history.

BEHAVIOR

Delivers more dangerous payload such as Ryuk ransomware by renting Emotet-infected machines to other malware groups.
Steals computer data, computer name, system local, operating system (OS) version and running processes.
Steals User credentials, financial and banking information.
Steals usernames and passwords of different mail clients.
Executes backdoor commands from a remote malicious user to connect to malicious websites for sending and receiving information.

CAPABILITIES

Information Theft: Yes
Rootkit Capability: Yes
File Infection: Yes
Propagation: Yes
Download Routine: Yes

INFECTION CHAIN

IMPACT

Compromise system security - with backdoor capabilities that can execute malicious commands.
Violation of user privacy - gathers and steals user credentials of various applications.

AVAILABLE SOLUTIONS

Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
Email Protection	Yes	AS Pattern 4134	4-Oct-18	Spam
Email Protection	Yes	AS Pattern 4934	26-Sep-19	Spam
URL Protection	Yes	In the Cloud		Malware Accomplice, Disease Vector, Ransomware
Predictive Learning (TrendX)	Yes	In the Cloud		BKDR.Win32.TRX.XXPE50F13005
				Ransom.Win32.TRX.XXPE50FFF027
				TROJ.Win32.TRX.XXPE50F13005
				TROJ.Win32.TRX.XXPE50F13005R2D6F
				Ransom.Win32.TRX.XXPE50F13005
				Downloader.VBA.TRX.XXVBAF01FF005
				Troj.Win32.TRX.XXPE50FFF031
				Downloader.VBA.TRX.XXVBAF01FF005
				TSPY.Win32.TRX.XXPE50FFF050E0002
File detection (VSAPI/Smart Scan) and Advanced Threat Scan Engine (ATSE)	Yes	OPR 14.541.00	2-Oct-18	TSPY_EMOTET.THJOBAH
				TSPY_EMOTET.THOIBEAL
				TSPY_EMOTET.OIBEAL
				TSPY_EMOTET.THJOAAH
				TSPY_EMOTET.THAOOAAH
				TSPY_EMOTET.THOIBEAK
				TSPY_EMOTET.OIBEAJ
				TSPY_EMOTET.THIBGAH
				TSPY_EMOTET.THOIBEAI
				PDF_EMOTET.THIBOAH
				PDF_EMOTET.THIAGAH
		OPR 15.375.00	20-Sep-19	TrojanSpy.Win32.EMOTET.SMCRS
				TrojanSpy.Win32.TRICKBOT.SMB1.hp
				Trojan.W97M.POWLOAD.TIOIBEFV
				TrojanSpy.Win32.EMOTET.THIAHAI
		OPR 15.391.00	25-Sep-19	TrojanSpy.Win32.EMOTET.SMTHF
				Trojan.JS.EMOTET.TIABOFCF
				Trojan.W97M.EMOTET.AFKJ
				Trojan.Win32.EMOTET.CFO
				Trojan.XML.EMOTET.AFJO
				TrojanSpy.Win32.EMOTET.THIBFAI
		OPR 17.201.00	19-Nov-21	TrojanSpy.Win32.EMOTET.SMYXBKO
		OPR 17.203.00	20-Nov-21	TrojanSpy.Win32.EMOTET.SMYXBKP
		OPR 17.211.00	24-Nov-21	TrojanSpy.Win32.EMOTET.SMYXBKVZ
Behavioral Monitoring (AEGIS)	Yes	TMTD OPR 1797	15-Jun-18	2980T
Behavioral Monitoring (AEGIS)	Yes	TMTD OPR 1877	4-Mar-19	FLS.LDX.4555T
Network Pattern	Yes	HTTP_EMOTET_REQUEST-5
Network Pattern	Yes	HTTP_EMOTET_REQUEST-4
Deep Discovery Inspector Rule	Yes	Rule 1541: EMOTET - HTTP (Request)
		Rule 2608: EMOTET - HTTP (Response) - Variant 2
		Rule 2701: Possible EMOTET - HTTP (Response) - Variant 3
		Rule 2897: EMOTET - HTTP (Request) - Variant 4
		Rule 4232: EMOTET - HTTP (Request) - Variant 5
Tippingpoint Filter Rule	Yes	28409: HTTP: Emotet Checkin Request

RECOMMENDATIONS

Make sure to always use the latest pattern available to detect the old and new variants of EMOTET Malware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
Make sure to implement our Best practice configuration for TrendMicro products. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
You may also check the article on Submitting suspicious or undetected viruses for file analysis to Technical Support.

For support assistance, contact Trend Micro Technical Support.

Threat Report

Blogs

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Malware Awareness - EMOTET resurges with new detections

BEHAVIOR

CAPABILITIES

INFECTION CHAIN

IMPACT

AVAILABLE SOLUTIONS

RECOMMENDATIONS

Threat Report

Blogs

Malware Awareness - EMOTET resurges with new detections

Product / Version includes:

Summary

BEHAVIOR

CAPABILITIES

INFECTION CHAIN

IMPACT

AVAILABLE SOLUTIONS

RECOMMENDATIONS

Threat Report

Blogs